Sending syslog from Linux systems into Graylog

Published

30 Nov 07:05

Last Push

06 Nov 07:01

Marketplace Rating

Discussion

4 Comments

Readme from Github

Sending syslog from Linux systems into Graylog

The two most popular syslog deamons (the programs that run in the background to accept and write or forward logs) are rsyslog and syslog-ng. One of these will most likely be running on your Linux distribution.

Please refer to the documentation of your distribution if you are not sure about this.

⚠️ Warning ⚠️

These instructions configure rsyslog and syslog-ng to send log messages unencrypted over the network. This is generally not recommended on public networks.

rsyslog

Forwarding syslog messages with rsyslog is easy. The only important thing to get the most out of your logs is following RFC 5424. The following examples configure your rsyslog daemon to send RFC 5424 date to Graylog syslog inputs:

UDP:

*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

TCP:

*.* @@graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

(The difference between UDP and TCP is using @ instead of @@ as target descriptor.)

The above configuration should be placed as new file ending in .conf in /etc/rsyslog.d/ and rsyslog should be restarted. In addition the port 514 on the Graylog server need to be reachable from the sending server.

Old rsyslog

If you're using a very old version of rsyslog (versions before rsyslog 5.10) which doesn't provide the built-in RSYSLOG_SyslogProtocol23Format template, you can create a custom message template.

For UDP this becomes:

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @graylog.example.org:514;GRAYLOGRFC5424

syslog-ng

Configuring syslog-ng to send syslog to Graylog is equally simple. Use the syslog function to send RFC 5424 formatted syslog messages via TCP to the remote Graylog host:

# Define TCP syslog destination.
destination d_net {
    syslog("graylog.example.org" port(514));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
    source(s_src); # Defined in the default syslog-ng configuration.
    destination(d_net);
};

Your Rating

Please sign in to rate this add-on.

Comments

willman42 over 1 year ago

On my Debian 9.9 system, syslog-ng v3.8, I had to change "syslog("[graylog_IP]" port(514));" to udp("[graylog_IP]" port(514));" to get it to work. Not sure where the syslog() function is defined, but maybe it defaults to using tcp? In Graylog, my Input was set to Syslog UDP too.

waynekearns over 2 years ago

for those who read this.
0x23marco.
The server "graylog.example.org" will not resolve, and syslog-ng will balk when it attempts to set up the forwarding to a non-existent IP address. Set it to a hostname that you are certain will resolve and will not change frequently.

0x23marco over 2 years ago

Regarding the syslog-ng configuration I experienced an error not sure how to resolve.
Restart syslog-ng throws an exception: "Starting syslog servicessyntax error at X" that's this syslog("graylog.example.org" port(514));

Any hints where the syntax error is?
thanks

fizzmonitoring over 3 years ago

Just to mention that currently only legacy rsyslog syntax is documented,
the more modern approach would be:

action(type="omfwd" target="127.0.0.1" port="10514" template="RSYSLOG_SyslogProtocol23Format")

Please sign in to comment.

Back to listing